Background Information
I recently went through this tutorial to set up NextCloud on the Raspberry Pi and found the install to go super smoothly.
Now that I know I can get NextCloud set up on my system, I plan on doing a fresh install with the intention of hardening its security.
My Question
Is there anything that I should be doing when following the installation tutorial to tighten up my security?
I have seen a few people mention not putting things in the default directory, but I am not sure exactly what I would need to do when following the tutorial. If anyone could give me pointers, that would be helpful.
Any other pointers you can give me to improve my security would also be very helpful.
Actually, thinking about it, the page I linked to is really the more advanced security stuff. The first thing that you should really check is that you're using strong directory permissions (there's a script on that doc page to do it for you). Just remember to adjust these before you upgrade (you can see how on the upgrade doc page).
Against brute force attacks I can additionally highly recommend changing your SSH port, if this is the way you access your Pi.
Having the standard port 22 for this, fail2ban had a hard job and often banned IPs from around the world. I switched to another port about one year ago and have had NO SINGLE brute force attempt since then. The standard brute force bots just try port 22 ;). The only problem you might face is that some open internet accesses from workplaces, public institutions like universities etc. only allow outgoing connections on standard ports. My university, for example, allows port 22, but my new SSH port is blocked by them. But I anyway prefer to access my server from the local network.
If your Pi is connected via a router, you can simply achieve this by changing the port forwarding in your router settings to forward the port of your choice to port 22 of your Pi.
An alternative solution is to change the port on the Pi by adjusting /etc/ssh/sshd_config and running #service sshd restart to use the new config. In that case you of course also need to adjust the port forwarding afterwards.
To make SSH even more secure, you should consider using key authentication instead of user/password:
Use "PuttyGen" on your remote system to create a key pair; better change the key size to 4096. For more security but less comfort, also save the key with some pass phrase.
Store the private key somewhere hidden on your remote system.
Log in via SSH to your Pi, create the "authorized_keys" file (see below) and copy-paste the public key string that is given by PuttyGen:
mkdir ~/.ssh
nano ~/.ssh/authorized_keys
Adjust the ssh config to allow key authentication:
In the Putty settings add the private key that you saved on your system before: Putty/Connection/SSH/Auth
Try to access it and see if key authentication works fine. If so, you can disable user/password authentication by changing the Pi's ssh config again:
sudo nano /etc/ssh/sshd_config
PasswordAuthentication no
If you use remote desktop or stuff like that to access your Pi, I highly recommend using your SSH to tunnel these less secure connections. So the only open ports need to be the chosen SSH port and of course 80+443 for web access.
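The sshd changes in the answer above, as an added example that is not part of the original thread: a small POSIX shell script that reads the effective values out of an sshd_config (sshd honours the first uncommented occurrence of a directive) and reports which of the steps above are still missing, plus the ~/.ssh permission fix that the mkdir/nano steps skip. Two points go beyond the post: with StrictModes (the default) sshd refuses to use an authorized_keys file whose directory or file is group- or world-writable, and PasswordAuthentication no on its own still leaves keyboard-interactive password prompts open through PAM unless ChallengeResponseAuthentication (KbdInteractiveAuthentication in newer OpenSSH) is also no. The two sample configs, the scratch home directory and the port 2222 are constructed for this example; point check_sshd_hardening at /etc/ssh/sshd_config on the Pi to check a real one.

```shell
#!/bin/sh
# Added example, not code from the original thread: audit an sshd_config for the
# changes the post describes (non-default port, key auth on, password auth off)
# and fix the ~/.ssh permissions that the post's mkdir/nano steps leave unset.
# The sample configs and scratch directory below are constructed for this example.

# Print the effective value of directive $2 in sshd_config $1.
# sshd uses the FIRST uncommented occurrence of a keyword, so stop at the first hit.
# (Directives inside "Match" blocks are not handled here.)
sshd_value() {
    key=$(printf '%s' "$2" | tr 'A-Z' 'a-z')
    awk -v key="$key" '
        /^[ \t]*#/ { next }
        NF >= 2 && tolower($1) == key { print $2; exit }
    ' "$1"
}

# Print one line per failed check and return the number of failures (0 = all good).
check_sshd_hardening() {
    cfg=$1
    fails=0
    port=$(sshd_value "$cfg" Port)
    if [ -z "$port" ] || [ "$port" = "22" ]; then
        echo "Port: still 22 (unset defaults to 22, the port the brute-force bots try)"
        fails=$((fails + 1))
    fi
    if [ "$(sshd_value "$cfg" PubkeyAuthentication)" = "no" ]; then
        echo "PubkeyAuthentication: disabled, key login will not work"
        fails=$((fails + 1))
    fi
    if [ "$(sshd_value "$cfg" PasswordAuthentication)" != "no" ]; then
        echo "PasswordAuthentication: not 'no' (unset defaults to yes)"
        fails=$((fails + 1))
    fi
    # PasswordAuthentication no is not enough on its own: with
    # ChallengeResponseAuthentication yes, PAM can still prompt for the password
    # through keyboard-interactive auth (newer OpenSSH: KbdInteractiveAuthentication).
    cr=$(sshd_value "$cfg" ChallengeResponseAuthentication)
    kbd=$(sshd_value "$cfg" KbdInteractiveAuthentication)
    if [ "$cr" != "no" ] && [ "$kbd" != "no" ]; then
        echo "ChallengeResponseAuthentication/KbdInteractiveAuthentication: not 'no', PAM password prompts still possible"
        fails=$((fails + 1))
    fi
    return $fails
}

# sshd (StrictModes yes, the default) refuses authorized_keys when ~/.ssh or the
# file is group/world writable. Set the modes the post's mkdir/nano steps leave
# at umask defaults; return 0 only if the directory ends up exactly 700.
fix_ssh_dir_perms() {
    dir=$1
    mkdir -p "$dir"
    chmod 700 "$dir"
    if [ -f "$dir/authorized_keys" ]; then
        chmod 600 "$dir/authorized_keys"
    fi
    [ "$(stat -c %a "$dir" 2>/dev/null || stat -f %Lp "$dir")" = "700" ]
}

# Constructed samples: a stock-looking config and one with the post's changes applied.
tmpdir=$(mktemp -d)
WEAK_CFG="$tmpdir/sshd_config.default"
HARDENED_CFG="$tmpdir/sshd_config.hardened"
cat > "$WEAK_CFG" <<'EOF'
# stock Raspbian-style defaults (constructed sample; commented lines are inactive)
#Port 22
#PubkeyAuthentication yes
#PasswordAuthentication yes
ChallengeResponseAuthentication no
UsePAM yes
EOF
cat > "$HARDENED_CFG" <<'EOF'
# after the steps in the post (constructed sample; 2222 is just an example port)
Port 2222
PubkeyAuthentication yes
AuthorizedKeysFile .ssh/authorized_keys
PasswordAuthentication no
ChallengeResponseAuthentication no
UsePAM yes
EOF

echo "== default config =="
check_sshd_hardening "$WEAK_CFG" || echo "-> $? check(s) failed"
echo "== hardened config =="
check_sshd_hardening "$HARDENED_CFG" && echo "-> all checks pass"

# Permission fix, exercised on a scratch directory rather than the real home.
mkdir -p "$tmpdir/home/.ssh"
touch "$tmpdir/home/.ssh/authorized_keys"
chmod 777 "$tmpdir/home/.ssh"
fix_ssh_dir_perms "$tmpdir/home/.ssh" && echo "-> .ssh permissions fixed"
```

After editing the real file, `sudo sshd -t` checks the syntax before you restart, and opening a second session with `ssh -p <new port> -i <key> pi@<host>` while the old one is still connected is the cheap way to avoid locking yourself out.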
Just adding those lines will not break anything. But as your Pi's memory is limited, I would not mount /var/tmp to RAM anyway. It is, as far as I found on search engines, often larger than /tmp and more for long-term storage and therefore fits better on the hard drive on low-RAM systems like the Pi. (Source)
To mount /tmp to ram on the other hand, there is another way on raspbian:
sudo nano /etc/defaults/tmpfs
RAMTMP=yes
So add "RAMTMP=yes". This may do exactly the same as manually mounting in fstab, dunno ;).
Yes, in the case of the Raspberry Pi at least, mounting /var/tmp to RAM will not have much performance benefit and could otherwise lead to a performance decrease if RAM is full, depending on how intensively (number of users) you use Nextcloud or otherwise use your Pi.
And yes, it has nothing to do with security. I was already wondering how the topic moved to fstab.